On 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
Wang Weijun
weijun.wang at oracle.com
Mon Jul 21 08:22:42 UTC 2014
Please review the updated webrev at
http://cr.openjdk.java.net/~weijun/8038089/webrev.01
Some comment changes. Some arguments rearrangement between classes.
The interface is still in sun.security.ssl. It will be easy to move it to somewhere else later. When module is introduced, we may need to export the interface from java.base to java.security.jgss.
Thanks
Max
On Jul 17, 2014, at 12:35, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> On 7/16/2014 4:41 PM, Wang Weijun wrote:
>> Hi Xuelei
>>
>> A *primitive* version of webrev available at
>>
>> http://cr.openjdk.java.net/~weijun/8038089/webrev.00
>>
>> Please confirm this is the way you like it.
>>
> I have not read too much about the details of the update. But looks
> like it is in the right way.
>
>> ExternalCipherSuite is the service interface and Krb5CipherSuite implements it. It's a modification of the old Krb5Proxy but I've moved as many as Kerberos-related codes to the implementation side so it has less methods now.
>>
>> Most likely we will define this new interface in a public package.
>>
> If krb5 is the only external implementation of TLS cipher suites, I
> think, we may want to try the best not to define public interface if
> possible.
>
> Thanks,
> Xuelei
>
>> I didn't touch any core SSL classes except for ClientHandshaker and ServerHandShaker. If you think there are other places too closely connected with kerberos, please let me know.
>>
>> Ideally, those
>>
>> case K_KRB5: case K_KRB5_EXPORT:
>> Krb5Helper.doXXX(...):
>>
>> should be something like
>>
>> default:
>> getExternalHelper(keyExchange).doXXX(...)
>>
>> but I guess we won't do that unless we know there will be a second implementation.
>>
>> Thanks
>> Max
>>
>>
>>
>>
>>
>>
>
More information about the security-dev
mailing list